Overview

overview

10

Static

static

2db032cc50...be.exe

windows7_x64

10

2db032cc50...be.exe

windows10_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    07-04-2021 13:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe

  • Size

    572KB

  • MD5

    c882de666f59cdeff7c0f5611d18fa3f

  • SHA1

    2cd4c99affc6aaeae73c0899a77b18d66c9ff2fb

  • SHA256

    2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe

  • SHA512

    b5dd9fccc39b8131937d7a3e44487427c6f981cdba4d146a149d0801be115ec8a879da000ed40a79594458300df305d4ee6cf37bed437396fbdf3451114f6e9a

Score
10/10
emotetepoch2bankertrojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

C2

212.186.191.177:80

91.242.138.5:80

173.13.135.102:80

59.110.18.236:443

45.56.88.91:443

51.68.220.244:8080

206.81.10.215:8080

80.11.163.139:21

182.176.132.213:8090

165.227.156.155:443

118.201.230.249:80

138.201.140.110:8080

46.105.131.87:80

87.106.139.101:8080

24.45.193.161:7080

209.97.168.52:8080

190.12.119.180:443

190.147.215.53:22

191.92.209.110:7080

91.205.215.66:8080
rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 25 IoCs
  • Suspicious behavior: EmotetMutantsSpam 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe
    "C:\Users\Admin\AppData\Local\Temp\2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Users\Admin\AppData\Local\Temp\2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe
      --ca061b2d
      2⤵
      • Suspicious behavior: EmotetMutantsSpam
      • Suspicious behavior: RenamesItself
      • Suspicious use of SetWindowsHookEx
      PID:1888
  • C:\Windows\SysWOW64\wraphant.exe
    "C:\Windows\SysWOW64\wraphant.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1064
    • C:\Windows\SysWOW64\wraphant.exe
      --6e93b09b
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EmotetMutantsSpam
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:876

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/876-12-0x0000000000000000-mapping.dmp
    Download
  • memory/876-14-0x00000000004A0000-0x00000000004B7000-memory.dmp
    Filesize

    92KB

    Download
  • memory/876-15-0x0000000000400000-0x0000000000493000-memory.dmp
    Filesize

    588KB

    Download
  • memory/1064-11-0x0000000000B30000-0x0000000000B47000-memory.dmp
    Filesize

    92KB

    Download
  • memory/1724-2-0x00000000761E1000-0x00000000761E3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1724-3-0x0000000000260000-0x0000000000277000-memory.dmp
    Filesize

    92KB

    Download
  • memory/1724-6-0x0000000000220000-0x0000000000231000-memory.dmp
    Filesize

    68KB

    Download
  • memory/1888-4-0x0000000000000000-mapping.dmp
    Download
  • memory/1888-8-0x0000000000400000-0x0000000000493000-memory.dmp
    Filesize

    588KB

    Download